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SENDING OF PUBLIC KEYS BY MOBILE TERMINALS 

The invention relates to a public key infrastructure 

used in a mobile telephone network. 

The invention also relates to mobile electronic data 
5 processing terminals possessing in particular a SIM or 

WIM card. 

Such terminals can therefore be mobile telephones or 
WAP telephones . 

They have in common the feature of possessing a SIM 
10 or WIM card and thus of being already identified on a 

network in relation to the operator providing the user's 
mobile telephone service. 

To be more specific, the invention relates in 
particular to a public key infrastructure used in a 
15 mobile network. 

A universal and recurrent question in the field of 
networks is how to establish by remote means mutual trust 
between parties who do not know each other. The solution 
exists, and consists in using a public key infrastructure 
20 (PKI) . 

A public key infrastructure has the advantage of 
enabling parties using it to rely on a high-security 
layer providing strong authentication, signing, and 
encryption. However, it has the drawback that organizing 

25 it remains complex, lengthy, difficult, and therefore 
costly for an operator. 

At present, interactions between a certification 
authority and entities identified by certificates account 
for a major portion of certificate management, i.e. of 

3 0 approval operations essentially involving a public key. 
These interactions include operations such as 
registration for certification, certificate renewal, 
certificate revocation, backing up and recovering keys. 
In general, a certification authority (CA) must be able 

35 to authenticate the identities of the requesting entities 
before responding to requests. Moreover, requests need 
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to be approved by authorized administrators or managers 
before they are serviced. 

The means used by certification authorities to 
verify an identity before delivering a certificate may 
5 vary greatly. This variation depends in particular on 
the organization and the use of the certificate. 

To achieve more flexibility, interaction with users 
may be separate from other functions of the certification 
authority and managed by a separate service known as the 
10 registration authority (RA) . 

An RA acts as an interface to the CA in that it 
receives requests from users, authenticates them, and 
forwards them to the CA. After receiving a response from 
the CA, the RA notifies the user of the result. The RA 
15 can be useful on a PKI scale across different 

administrative regions, different geographical areas, and 
other entities that differ in terms of policy and 
authentication requests. 

The drawbacks of this infrastructure should be 
20 noted: it is long and costly to implement, it offers 

little flexibility in the generation of certificates (for 
reasons linked to certification policy) , it represents a 
high cost to users seeking to obtain a certificate, and 
it imposes a considerable management workload on the 
25 certification operator. 

In other words, a public key infrastructure offers 
high security but has the drawback of requiring prior 
registration with a registration authority. 

The invention aims to facilitate the public key 
30 certification process. 

That aim is achieved according to the invention by a 
certification method using a public key certification 
authority and involving at least one mobile terminal able 
to receive messages encrypted by that public key, the 
35 method being characterized in that it includes the step 
of the mobile terminal generating the public key, the 
step of a telecommunications network entity acquiring 
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said key from the terminal by means of a network call, 
the step of the network entity authenticating the 
terminal by a party authentication process used in 
relation to a standard telephone call, and the step of 
5 supplying the certification authority with the public key 
and the associated result of the authentication process. 

For example, a method of the above kind in 
particular enables a mobile network subscriber to 
generate a key pair before a certificate is issued by the 

10 operator. 

The invention also provides a mobile 
telecommunications system comprising at least one mobile 
terminal and one network entity, characterized in that it 
includes means in the mobile terminal for generating a 

15 public key, means in the telecommunications network 

entity for acquiring said public key from the terminal by 
means of a network call, and means for authenticating the 
terminal by means of an authentication process used in 
relation to a standard telephone call, the system further 

20 including a certification authority and means for 

supplying the certification authority with the public key 
generated by the mobile terminal and the associated 
result of the authentication process. 

There is further provided a mobile 

2 5 telecommunications terminal characterized in that it 

includes means for producing at least one key for 
decrypting messages received by the terminal and means 
for sending said key to a certification authority by 
means of a network call via a telephone network entity so 
30 that said key becomes a public key. 

Other characteristics, objects, and advantages of 
the invention become apparent on reading the following 
detailed description, which is given with reference to 
the appended single figure, which represents a 

3 5 certification infrastructure conforming to a preferred 

embodiment of the invention. 
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The idea is to generate the key pair (public key + 
private key) in the user's mobile and then to forward the 
public key to a certification authority via a secure 
channel of the mobile telephone network. 
5 This solution decentralizes the process and 

transfers the task of issuing the key pair to the mobile. 
It simplifies the certificate issuing/authentication 
stage and is of zero cost to the user. For the operator, 
the elements constituting the infrastructure are 

10 simplified. 

This solution also makes it possible to carry out 
the registration stage at a different time (it can easily 
be carried out at the time of subscribing to the mobile 
telephone service) . 

15 It therefore offers the advantage of virtually 

eliminating the registration stage. 

Elements specific to the current administration of 
keys and certificates are entered first. The means 
enabling use in a network environment of public keys and 

20 certificates with standardized formats are generally 
called a public key infrastructure. 

PKI administration is a complex subject (management 
of keys, management of certificates, revocation lists, 
recovery, etc. ) . 

25 The certificate issuing process depends on the 

certification authority issuing the certificates and how 
the certificates are used. A certificate must be issued 
in accordance with a clearly defined procedure if the 
certificate is to be of value in a "face to face" 

30 situation, for example when examining identity papers. 
Different trusted authorities have different 
certificate-issuing policies. 

In certain cases, an electronic address is 
sufficient on its own . 

35 In other cases, a UNIX or Windows login and a 

password are sufficient. 
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However, for certificates granting major 
prerogatives, the issuing process may require notarized 
documents to be provided beforehand or complete "face to 
face" verification of identity. 
5 Depending on the organization policy, the process of 

issuing certificates may take a form that is completely 
transparent for the user (which is to the detriment of 
security) or require the significant participation of the 
user and complex procedures . 
10 Certificate-issuing methods must generally be very 

flexible so that different organizations can adapt them 
to their particular requirements. 

Before a certificate is issued, the public key that 
it contains must be generated in corresponding 
15 relationship to a private key that is confidential. 

It may sometimes be beneficial to issue a person one 
certificate for signing purposes and another certificate 
for encryption purposes. 

To ensure high security, the private signature or 
2 0 encryption keys are held on a physical medium (smart 

card, dongle, USB, etc.) that is retained by the person 
that it represents. 

With the objective of recovery, the private 
encryption key is held on a protected central server from 
25 which it may be retrieved, for example if a user loses a 
key. 

An encryption key specifically dedicated to 
telephone calls is generally produced either locally (in 
a workstation or even in a smart card) or centrally (for 
30 example in a smart card personalization unit) . 

For example, local generation of keys maximizes non- 
repudiation but implies more participation by the user in 
the issuing process. Flexibility in managing keys is 
essential for most organizations, not forgetting the 
35 security aspect. 
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Like an identity card, a certificate has a period of 
validity. Any attempt to use a certificate before or 
after its period of validity will fail. 

Thus mechanisms for administering and renewing 
5 certificates are essential for a security policy. 

An administrator may wish to be advised when a 
certificate expires, and an appropriate renewal process 
may be therefore instituted to avoid any disagreement as 
to the use of certificates that have just expired. The 
10 certificate renewal process may involve using the same 
public key /private key pair again or issuing another 
pair . 

A certificate may be suspended even if it is still 
valid, for example in the event of theft. 
15 Similarly, it is sometimes necessary to revoke a 

certificate before its expiry date, for example if an 
employee leaves a company or is robbed of the medium 
storing a key pair. 

Certificate revocation consists in publishing a 
20 certificate revocation list (CRL) in a directory at 

regular intervals. Verification against that list is 
then an integral part of the authentication process . 

There follows a description of the elements that are 
usually employed in a telecommunications network to 
25 identify a party and to assure the security of a call, 
some of which elements described below are used in the 
present embodiment of the invention. 

A mobile network infrastructure is designed to 
guarantee high security. Thus the GSM uses 
30 authentication and encryption processes. To guarantee 
this high security, the network uses strong mobile 
authentication . 

The GSM uses four types of identity linked to the 

user : 

3 5 • the IMS I is known only within the GSM network; 

• the TMSI is a temporary identity used to identify 
the mobile during mobile /network interactions; 
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• the MSISDN is the user's telephone number, which 
is the only identifier known to the outside world; 

• the MSRN, which is a number assigned on setting up 
a call. 

5 Having outlined the common features of telephone 

communications networks, a few acronyms are defined next. 
SIM: subscriber identity module. 
IMSI : international mobile station identity, a 
unique identifier of the user (comprising 15 digits) 
10 stored in the SIM card. 

TMSI : temporary mobile subscriber identity, an 
identity specific to a VLR, temporarily identifying the 
user in the VLR. 

MSISDN: mobile station international ISDN number, an 
15 identity of the user that is visible in the telephone 
domain (e.g. 33 6 98 76 54 32) . 

IMEI : international mobile equipment identity, i.e. 
the identity of the terminal. 

MSRN: mobile station roaming number, the identity 
2 0 necessary for routing calls between the gateway MSC to 
the PSTN and the current MSC of the mobile. 

To prevent any use of a mobile account by a person 
other than the user 10, the GSM uses an authentication 
process aiming to protect both the user and the operator. 
25 When a user 10 is seeking to be authenticated on the 

network, the network sends the mobile a random number 
RAND via a communications entity 20. The SIM card 
calculates the RAND signature using the A3 algorithm and 
the private key Ki stored in the SIM card. 
30 The result SRES is then sent to the network. 

To be sure of the identity of this user, the network 
(the entity 20) does the same thing, i.e. calculates a 
RAND signature using the algorithm A3 and the key Ki 
specific to each user stored in a database. 
35 If the result calculated locally is identical to the 

result received, the user is authenticated; if not, the 
mobile is rejected. 
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To provide this confidentiality, an encryption key 
Kc is generated. This key is constructed using the 
random data transmitted by the network and a private key 
Ki specific to the user 10 and stored in the SIM card. 
5 With these two parameters a key Kc is generated by 

the A8 algorithm. The network (the entity 20) performs 
the same operation. 

The key Ki corresponding to the user previously 
identified is in an AUC (authentication centre) base and 
10 the network uses this key Ki to obtain the same 
encryption key Kc itself. 

The idea is to define a simplified PKI model, with 
the following objectives: reducing management costs for 
the operator, i.e. avoiding a costly and centralized 
15 architecture, and relying on the security of the 
telephony architecture and in particular on the 
identification/authentication procedures on which the 
system relies. 

Note that this solution can be applied to secure 
20 communication, for example to preserve the 

confidentiality of communication in a working environment 
or in the context of peer-to-peer communication. 

As indicated above, the authentication procedure has 
high-security elements. Once this stage 
25 (authentication/confidentiality) has been completed, the 
idea is to generate a key pair in the telephone. 

Afterwards, the user 10 sends the public key to a 
certification operator (here the entity 20 itself) . The 
certification operator role is therefore performed at 
30 least in part by the mobile telephone operator itself. 

Accordingly, authentication on the GSM network is 
strong authentication (involving possession of a security 
element and a secret) . 

Sending to the certification server 3 0 is effected 
35 in a secure tunnel. 

In other words, after receiving the public key the 
operator 2 0 can certify the key received because it is 
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certain of the identity corresponding to the public key- 
presented: no identity theft is possible on the GSM 
network. The operator 2 0 then returns the certificate to 
its proprietor (if the entity 20 and the certification 
5 authority are one and the same) and/or deposits it in the 
public certification server 30. 

The advantages of this solution are enormous, in 
particular the simplified certification procedure, the 
absence of any recovery process, and decentralized 

10 management transferred to the client. 

The idea is therefore to generate the key pair in 
the mobile 10 so that the distinguished name (DN) for 
each certificate holder is the holder's telephone number 
and each certificate holder generates the corresponding 

15 key pair and obtains a certificate by sending the key 
pair for certification in the conventional way. The 
server determines the origin of the call automatically 
using the DN. 

The sender (the user 10) is authenticated by the 

20 telephone network (the entity 20) . The certification 

entity 3 0 that generates the certificate in corresponding 
relationship to the received key is certain of the 
identity certified in the certificate thanks to the 
identification by the telephone entity 2 0 and its 

25 standard mobile terminal identification means. 

The server 3 0 can therefore finally generate the 
certificate corresponding to the public key received and 
send the certificate to its proprietor. 

The method described is executed by a computer 

3 0 program. 

That computer program is designed to be stored in 
and/or transmitted by a data medium and includes software 
instructions for having the method executed by an 
electronic data processing device, in this instance the 

3 5 measuring device described. 



